Since mandatory reporting of Notifiable Data Breaches (NDB) began in 2018 we have had a number of opportunities to see the mechanics of data breaches and the reporting system in action. From the cause of the breach to the nature of the data accessed and the impact on the organisation, it has been a reality check to understand, and be involved in, the investigation of these events: from response, to reporting, to identifying the affected individuals.

One of the surprises has been the effort required to identify the individuals impacted by a breach and the nature of the personal information that was accessed for each of them. The concept seems simple, but when you look at the tools available in most organisations it quickly becomes clear that external help will be needed to do this work. Add up the cost of detection, response (organisational AND emotional), remediation, assessing the data that was accessed, and distraction from core business, and it is clear that this is neither a simple nor a cheap task. Add any jurisdictional or legislative burden and the weight, impact and cost of the event increase rapidly.

The statistics embedded in the heading of this article are for April to June 2019 and show 245 notifications for the period, the majority resulting from malicious attack. That is evidence enough that this is a real risk for business. It is a repetitive message, but unpatched servers and unsecured cloud systems (including email) remain the most common vehicles for illegal access to organisational data. Prevention v cure.

If you need any assistance in assessing your business systems or responding to an event, give me a call to discuss.

David Caldwell
Director
Forensic IT
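The per-individual identification step described above, as an added example in Python that is not code from the article or from Forensic IT. It assumes the records an attacker accessed have already been collected as (source, text) pairs, constructs a handful of invented records to run on, identifies individuals by the email address found in each record (a simplification; real triage also joins on names, customer IDs and similar keys), and uses the published TFN and Medicare check-digit rules to reject number-shaped false positives. Records that expose personal information without any identifying key are queued for manual review, which is where most of the effort the article describes ends up.

```python
import re
from collections import defaultdict

# Constructed sample of records an attacker accessed: (source path, content).
# Names, addresses and numbers are invented; the TFN and Medicare values are
# the commonly published test numbers, not real identifiers.
ACCESSED_RECORDS = [
    ("mailbox/inbox/1203.eml",
     "Hi Jane Smith, your TFN 123 456 782 has been updated. "
     "Reply to jane.smith@example.com"),
    ("share/hr/payroll.csv",
     "Jane Smith,jane.smith@example.com,BSB 062-000 Acct 12345678"),
    ("mailbox/sent/0091.eml",
     "Bob Lee (bob.lee@example.org) - medical certificate attached, "
     "Medicare 2123 45670 1"),
    ("share/finance/refund.txt", "Refund to TFN 123 456 782 processed."),
    ("share/legal/notes.txt", "General meeting notes, no personal data here."),
]

# Illustrative patterns; a real engagement would tune these to the data set.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
MEDICARE_RE = re.compile(r"\b[2-6]\d{3}[ -]?\d{5}[ -]?\d\b")
BANK_RE = re.compile(r"\bBSB\s+\d{3}-?\d{3}\b", re.IGNORECASE)


def tfn_valid(candidate):
    """ATO TFN check: weighted sum of the 9 digits must be divisible by 11.
    Drops 9-digit numbers that merely look like a TFN."""
    digits = [int(c) for c in re.sub(r"\D", "", candidate)]
    if len(digits) != 9:
        return False
    weights = [1, 4, 3, 7, 5, 8, 6, 9, 10]
    return sum(d * w for d, w in zip(digits, weights)) % 11 == 0


def medicare_valid(candidate):
    """Medicare card number check: weighted sum of digits 1-8 mod 10 must
    equal digit 9 (digit 10 is the card issue number)."""
    digits = [int(c) for c in re.sub(r"\D", "", candidate)]
    if len(digits) != 10:
        return False
    weights = [1, 3, 7, 9, 1, 3, 7, 9]
    return sum(d * w for d, w in zip(digits[:8], weights)) % 10 == digits[8]


def classify(content):
    """Return the set of personal-information categories found in one record."""
    found = set()
    if EMAIL_RE.search(content):
        found.add("contact_email")
    if any(tfn_valid(m) for m in TFN_RE.findall(content)):
        found.add("tax_file_number")
    if any(medicare_valid(m) for m in MEDICARE_RE.findall(content)):
        found.add("health_identifier")
    if BANK_RE.search(content):
        found.add("bank_account")
    return found


def build_impact_register(records):
    """Group accessed records by individual (keyed on the email address in the
    record, a simplifying assumption) and union the PI categories per person.
    Records that expose PI but carry no identifying key go to a review queue
    for manual attribution."""
    per_person = defaultdict(lambda: {"sources": [], "categories": set()})
    needs_review = []
    for source, content in records:
        categories = classify(content)
        if not categories:
            continue  # nothing notifiable in this record
        emails = {m.lower() for m in EMAIL_RE.findall(content)}
        if not emails:
            needs_review.append((source, sorted(categories)))
            continue
        for email in emails:
            per_person[email]["sources"].append(source)
            per_person[email]["categories"] |= categories
    return dict(per_person), needs_review


if __name__ == "__main__":
    register, review = build_impact_register(ACCESSED_RECORDS)
    for person, info in sorted(register.items()):
        print(person, sorted(info["categories"]),
              len(info["sources"]), "record(s)")
    for source, categories in review:
        print("REVIEW", source, categories)
```

The check-digit validation matters in practice: a payroll export or log file is full of nine- and ten-digit numbers, and without it the register overstates both the number of individuals and the categories exposed, which feeds straight into the notification decision.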